Uploaded image for project: 'Cloud Enablement'
  1. Cloud Enablement
  2. CLOUD-3209

[7.2.x-openjdk11] SSO_SECRET parameter should be required if configuring RH-SSO integration

    XMLWordPrintable

Details

    • Cloud Sprint 36

    Description

      Today, when an user is configuring the RH-SSO integration with EAP base images, if the SSO_SECRET parameter is not set, the keycloak subsystem will be created with an empty credential:

      <subsystem xmlns="urn:jboss:domain:keycloak:1.1">
   <realm name="bsig">
      <!-- ##KEYCLOAK_PUBLIC_KEY## -->
      <auth-server-url>https://sso-cicd.192.168.99.100.nip.io/auth</auth-server-url>
      <register-node-at-startup>true</register-node-at-startup>
      <register-node-period>600</register-node-period>
      <ssl-required>external</ssl-required>
      <disable-trust-manager>true</disable-trust-manager>
      <!-- ##KEYCLOAK_TRUSTSTORE## -->
      <allow-any-hostname>false</allow-any-hostname>
   </realm>
   <secure-deployment name="ROOT.war">
      <realm>bsig</realm>
      <resource>root</resource>
      <auth-server-url>https://sso-cicd.192.168.99.100.nip.io/auth</auth-server-url>
      <enable-basic-auth>true</enable-basic-auth>
      <credential name="secret" />
      <enable-cors>false</enable-cors>
      <bearer-only>false</bearer-only>
      <principal-attribute>preferred_username</principal-attribute>
   </secure-deployment>
</subsystem>
<!-- ##KEYCLOAK_SAML_SUBSYSTEM## -->

      This will cause WARN messages like this:

      16:15:58,005 WARN  [org.keycloak.adapters.authentication.ClientIdAndSecretCredentialsProvider] (pool-25-thread-1) Client 'root' doesn't have secret available
16:15:58,013 ERROR [org.keycloak.adapters.NodesRegistrationManagement] (pool-25-thread-1) failed to register node to keycloak
16:15:58,013 ERROR [org.keycloak.adapters.NodesRegistrationManagement] (pool-25-thread-1) status from server: 400
16:15:58,013 ERROR [org.keycloak.adapters.NodesRegistrationManagement] (pool-25-thread-1)    {"error":"unauthorized_client","error_description":"INVALID_CREDENTIALS: Invalid client credentials"}

      The integration will fail and the application will not authenticate against the RH-SSO.

      We recommend logging an error message during the subsystem configuration alerting the user to set the SSO_SECRET parameter before creating a client with an empty credential.

      Attachments

        Issue Links

          clones

          Bug - A problem that impairs or prevents the functions of the product. CLOUD-3208 [7.2.x] SSO_SECRET parameter should be required if configuring RH-SSO integration

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • New
          is incorporated by

          Enhancement - An enhancement to or refactoring of existing functionality that is not configurable by an end user (typically a change made by an internal team that affects users) CLOUD-3219 EAP 7.2.2-opendk11 OpenShift Image release

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • Closed

          Activity

            People

              rhn-support-zanini Ricardo Zanini Fernandes
              rhn-support-zanini Ricardo Zanini Fernandes
              Ken Wills
              Votes:
              0 Vote for this issue
              Watchers:
              1 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: